
chore(auth): upgrade better-auth 1.3.12 → 1.6.11#4766

Merged
waleedlatif1 merged 3 commits into staging from waleedlatif1/better-auth-upgrade-audit on May 28, 2026

Conversation

@waleedlatif1
Collaborator

Summary

  • Bump better-auth, @better-auth/sso, @better-auth/stripe from 1.3.12 → 1.6.11
  • Rename deprecated APIs: onEmailVerification → afterEmailVerification, forgetPassword → requestPasswordReset, organizationCreation.afterCreate → organizationHooks.afterCreateOrganization
  • Move nextCookies() to end of plugins array (1.6.10 fix — earlier position dropped Set-Cookie headers from later plugins' hooks.after)
  • Opt out of new requireLocalEmailVerified default to preserve OAuth-linking behavior
  • Gate requireEmailVerificationOnInvitation on isEmailVerificationEnabled so self-hosted invite flow still works without SMTP
  • Set freshAge: 0 (1.6 recalculates freshness from createdAt, not last activity)
  • Drop Stripe getCheckoutSessionParams line_items override (1.6.10 strips it; pre-checkout seat picker already exists)
  • Drop dead pages config (never a valid option) and unused signIn/signUp re-exports
  • Migration 0216_* adds 6 nullable columns for new better-auth Stripe + JWKS fields

Type of Change

  • Improvement (dependency upgrade)

Testing

  • Auth route tests: 60/60 passing
  • type-check and check:api-validation clean
  • Smoke-tested dev server: /api/auth/get-session, /api/auth/jwks, /api/auth/forget-password, OIDC discovery — all 200
  • Migration is 6 nullable ADD COLUMN only — no destructive ops

Follow-up (separate PR)

  • oidcProvider → @better-auth/oauth-provider migration — requires data migration of live OAuth client rows + one-way client_secret hashing. Plan documented in .context/better-auth-upgrade/OAUTH-PROVIDER-MIGRATION.md.

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)
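The plugin-ordering bullet above (nextCookies() moved to the end of the plugins array because an earlier position dropped Set-Cookie headers from later plugins' hooks.after) is easy to get wrong again on the next refactor. The following is an added example, not code from the Sim repository or from better-auth: a toy model of a sequential after-hook chain in which a cookie-bridge plugin (standing in for nextCookies()) can only forward the Set-Cookie headers that exist at the moment its hook runs. The plugin ids, hook shape and cookie values are constructed for illustration; the pluginsAfterBridge check is the kind of config assertion a test suite can keep to catch the regression.

```typescript
// Added example (not Sim or better-auth code): toy model of why a cookie-bridge
// plugin must be the last entry in the plugins array. Hook shape, plugin ids and
// cookie strings are assumptions made for illustration only.

type AfterCtx = { setCookieHeaders: string[] };
type Plugin = { id: string; after: (ctx: AfterCtx) => void };

/** Run every plugin's after-hook in array order over one shared context (assumed sequential chain). */
export function runAfterHooks(plugins: Plugin[]): AfterCtx {
  const ctx: AfterCtx = { setCookieHeaders: [] };
  for (const plugin of plugins) plugin.after(ctx);
  return ctx;
}

/** A plugin whose after-hook emits one Set-Cookie header (constructed stand-in for session/org plugins). */
export function cookieEmittingPlugin(id: string, cookie: string): Plugin {
  return {
    id,
    after: (ctx) => {
      ctx.setCookieHeaders.push(cookie);
    },
  };
}

/**
 * Stand-in for nextCookies(): copies the Set-Cookie headers visible when it runs
 * into the framework cookie store. Headers appended by later plugins never reach it.
 */
export function cookieBridgePlugin(frameworkStore: string[]): Plugin {
  return {
    id: 'nextCookies',
    after: (ctx) => {
      frameworkStore.push(...ctx.setCookieHeaders);
    },
  };
}

/** Config check: ids of plugins registered after the bridge, i.e. plugins whose cookies would be dropped. */
export function pluginsAfterBridge(plugins: Plugin[], bridgeId = 'nextCookies'): string[] {
  const idx = plugins.findIndex((p) => p.id === bridgeId);
  if (idx === -1) return [];
  return plugins.slice(idx + 1).map((p) => p.id);
}

/** Cookies that actually reach the framework store for the two orderings discussed in the PR. */
export function deliveredCookies(bridgePosition: 'first' | 'last'): string[] {
  const frameworkStore: string[] = [];
  const bridge = cookieBridgePlugin(frameworkStore);
  // Constructed cookie values; attribute flags shown as a defender would want them set.
  const others = [
    cookieEmittingPlugin('session', 'session_token=TOKEN; Path=/; HttpOnly; Secure; SameSite=Lax'),
    cookieEmittingPlugin('organization', 'active_org=org_1; Path=/; HttpOnly; Secure; SameSite=Lax'),
  ];
  const plugins = bridgePosition === 'first' ? [bridge, ...others] : [...others, bridge];
  runAfterHooks(plugins);
  return frameworkStore;
}
```

With the bridge first, deliveredCookies('first') returns an empty list: both later plugins wrote headers, but after the bridge had already copied an empty set. With the bridge last, both cookies arrive. Running pluginsAfterBridge over the real plugins array in a unit test and asserting it is empty pins the ordering fix in place.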

@vercel

vercel Bot commented May 28, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped May 28, 2026 4:13pm


@cursor

cursor Bot commented May 28, 2026

PR Summary

High Risk
Touches core authentication, sessions, OAuth linking, Stripe checkout, and org invites; incorrect config could break login, cookies, or billing flows despite nullable DB changes.

Overview
Upgrades better-auth (and @better-auth/sso / @better-auth/stripe) from 1.3.12 → 1.6.11 and aligns the app with renamed or stricter library behavior.

API renames: forgetPassword → requestPasswordReset on the forget-password route and tests; onEmailVerification → afterEmailVerification; organization: organizationCreation.afterCreate → organizationHooks.afterCreateOrganization. createAuthMiddleware is imported from better-auth/api instead of better-auth/plugins.

Auth behavior tweaks: session.freshAge set to 0; requireLocalEmailVerified: false on account linking; requireEmailVerificationOnInvitation tied to isEmailVerificationEnabled; oneTimeToken.expiresIn corrected to minutes (24 * 60). Removed invalid pages config, unused signIn/signUp exports, throwOnMissingCredentials / throwOnInvalidCredentials, and Stripe checkout line_items override (promo codes only). nextCookies() moved to the end of the plugins array so later plugins’ cookies are not dropped.

Email: OTP templates/subjects add change-email for better-auth’s expanded OTP types.

Data: Migration 0216_* adds nullable Stripe subscription and JWKS columns expected by 1.6.

Reviewed by Cursor Bugbot for commit 5a8b8ab.

@greptile-apps
Contributor

greptile-apps Bot commented May 28, 2026

Greptile Summary

This PR upgrades better-auth (and its @better-auth/sso / @better-auth/stripe companions) from 1.3.12 to 1.6.11, migrating all deprecated APIs and adapting the auth configuration to the behavioral changes introduced in the new minor versions.

  • API renames: onEmailVerification → afterEmailVerification, forgetPassword → requestPasswordReset, organizationCreation.afterCreate → organizationHooks.afterCreateOrganization, matching the better-auth 1.6 migration guide; all test mocks are updated in parallel.
  • Plugin ordering fix: nextCookies() moved to the end of the plugins array — a required 1.6.10 fix that prevented Set-Cookie headers from plugins registered after it from being emitted.
  • oneTimeToken expiry correction: expiresIn changed from 24 * 60 * 60 (= 86 400, which the docs confirm is treated as minutes, meaning tokens previously lived 60 days) to 24 * 60 (= 1 440 minutes = 24 hours) — applied consistently in both auth.ts and packages/auth/src/verify.ts; a database migration adds 6 nullable columns required by the new Stripe and JWKS schema fields.

Confidence Score: 5/5

Safe to merge — all changes are additive migrations or API renames with no destructive database operations and no behavioral regressions on critical auth paths.

Every changed file corresponds directly to a documented better-auth 1.6 migration step. The oneTimeToken expiry correction fixes a latent bug where tokens lived 60 days instead of 24 hours. The database migration is purely additive. Previously raised concerns about freshAge and OTP type coverage have been addressed in follow-up commits.

No files require special attention.

Important Files Changed

  • apps/sim/lib/auth/auth.ts
    Core auth config: all deprecated API renames applied correctly, nextCookies() moved to end, requireLocalEmailVerified opted out, requireEmailVerificationOnInvitation gated on SMTP, freshAge set to 0 (addressed in prior thread), getCheckoutSessionParams simplified per 1.6.10 line_items stripping, and unused pages/re-export dead config removed.
  • packages/auth/src/verify.ts
    oneTimeToken expiresIn corrected from 86400 to 1440 (minutes unit), matching the fix in auth.ts.
  • apps/sim/app/api/auth/forget-password/route.ts
    Single call site updated from auth.api.forgetPassword to auth.api.requestPasswordReset; all test expectations updated consistently.
  • packages/db/migrations/0216_colorful_cobalt_man.sql
    Additive-only migration: 6 nullable ADD COLUMN statements for new better-auth Stripe and JWKS fields; no destructive operations.
  • packages/db/schema.ts
    Schema additions match the migration SQL exactly: 5 nullable columns on subscription table and 1 nullable expiresAt on jwks table.
  • apps/sim/components/emails/render.ts
    renderOTPEmail type union broadened to include change-email.
  • apps/sim/components/emails/subjects.ts
    EmailSubjectType union and subject map updated to include change-email with a dedicated subject line.

Reviews (3): Last reviewed commit: "fix(auth): correct oneTimeToken expiresI..."

@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review


@cursor cursor Bot left a comment


✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 6d360b4.

Better-auth's oneTimeToken expiresIn is in minutes (multiplied by 60_000ms
internally). Sim's existing 24*60*60 evaluated to ~60 days of token
lifetime instead of the intended 24 hours. Tokens are one-time-use and
typically consumed within seconds of generation (Socket.IO handshake),
so this tightens an unused security window without affecting UX.
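The commit message above describes a units bug: better-auth's oneTimeToken expiresIn is a count of minutes (multiplied by 60_000 ms internally), and the old value 24*60*60 was written as if it were seconds, giving a 60-day lifetime. The following is an added example, not code from the Sim repository or from better-auth: it converts a minutes-based expiresIn to milliseconds the way the commit message describes, adds a config-time guard that rejects lifetimes an order of magnitude longer than intended, and models the consume-once plus expiry semantics of a one-time token so the effect of each value can be checked. The store, its token format and the one-day policy cap are assumptions for illustration.

```typescript
// Added example (not Sim or better-auth code). Models the minutes-vs-seconds
// confusion behind the oneTimeToken.expiresIn fix. The 60_000 ms factor is the
// one the commit message describes; everything else is a constructed model.

const MS_PER_MINUTE = 60_000;
const MS_PER_HOUR = 60 * MS_PER_MINUTE;
const MS_PER_DAY = 24 * MS_PER_HOUR;

/** Convert a minutes-based expiresIn to milliseconds. Rejects non-positive or fractional minutes. */
export function expiresInToMs(expiresInMinutes: number): number {
  if (!Number.isInteger(expiresInMinutes) || expiresInMinutes <= 0) {
    throw new RangeError(`expiresIn must be a positive integer number of minutes, got ${expiresInMinutes}`);
  }
  return expiresInMinutes * MS_PER_MINUTE;
}

/** Human-readable lifetime for config review: whole days from two days up, else whole hours, else minutes. */
export function describeLifetime(ms: number): string {
  if (ms >= 2 * MS_PER_DAY && ms % MS_PER_DAY === 0) return `${ms / MS_PER_DAY} days`;
  if (ms % MS_PER_HOUR === 0) return `${ms / MS_PER_HOUR} hours`;
  return `${ms / MS_PER_MINUTE} minutes`;
}

/** Config-time guard: throw if a one-time-token lifetime exceeds maxMs (assumed policy cap, one day). */
export function assertPlausibleOneTimeTokenLifetime(expiresInMinutes: number, maxMs: number = MS_PER_DAY): void {
  const ms = expiresInToMs(expiresInMinutes);
  if (ms > maxMs) {
    throw new Error(
      `oneTimeToken.expiresIn=${expiresInMinutes} minutes is ${describeLifetime(ms)}; ` +
        `was this written in seconds? maximum allowed is ${describeLifetime(maxMs)}`,
    );
  }
}

type TokenRecord = { userId: string; expiresAt: number; used: boolean };
export type ConsumeResult = 'ok' | 'unknown' | 'expired' | 'already_used';

/** Minimal one-time-token store: each token is valid once, and only before its expiry. */
export class OneTimeTokenStore {
  private readonly tokens = new Map<string, TokenRecord>();
  private readonly expiresInMinutes: number;
  private counter = 0;

  constructor(expiresInMinutes: number) {
    assertPlausibleOneTimeTokenLifetime(expiresInMinutes);
    this.expiresInMinutes = expiresInMinutes;
  }

  /** Issue a token at nowMs. A counter is used here for determinism; real code must use a random, unguessable value. */
  issue(userId: string, nowMs: number): string {
    const token = `tok-${++this.counter}`;
    this.tokens.set(token, { userId, expiresAt: nowMs + expiresInToMs(this.expiresInMinutes), used: false });
    return token;
  }

  /** Consume exactly once; unknown, reused or expired tokens never yield a user id. */
  consume(token: string, nowMs: number): { result: ConsumeResult; userId?: string } {
    const rec = this.tokens.get(token);
    if (!rec) return { result: 'unknown' };
    if (rec.used) return { result: 'already_used' };
    if (nowMs >= rec.expiresAt) {
      this.tokens.delete(token);
      return { result: 'expired' };
    }
    rec.used = true;
    return { result: 'ok', userId: rec.userId };
  }
}
```

describeLifetime(expiresInToMs(24 * 60 * 60)) reports "60 days" and the guard rejects it, while 24 * 60 reports "24 hours" and passes; with the corrected value a token issued at t=0 is rejected as expired exactly 24 hours later. Keeping a guard like assertPlausibleOneTimeTokenLifetime next to the auth config is a cheap way to make the next unit mistake fail at startup instead of in production.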
@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review


@cursor cursor Bot left a comment


✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 5a8b8ab.

@waleedlatif1 waleedlatif1 merged commit 34c47f7 into staging May 28, 2026
14 checks passed
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/better-auth-upgrade-audit branch May 28, 2026 18:25